Budget Android device models that are counterfeit versions associated with popular smartphone brands have several Trojans designed to target WhatsApp and WhatsApp Business messaging apps.
The malware, which Doctor Web first came across in July 2022, was discovered in the system partition of at least four different smartphones: P48pro, radmi note 8, Note30u and Mate40, was
“These incidents are united by the fact that the attacked devices were copies of well-known branded models,” the cyber security firm said in a report published today.
“Furthermore, instead of having one of the latest OS versions installed on them with the corresponding information shown in the device details (such as Android 10), they had the long-outdated 4.4.2 version.”
In particular, the tampering concerns two files “/system/lib/libcutils.so” and “/system/lib/libmtd.so” which are modified in such a way that when the system library libcutils.so is used by an app, the execution of a Trojan that is included in libmtd.so.
If the apps using the libraries are WhatsApp and WhatsApp Business, libmtd.so proceeds to launch a third backdoor whose main responsibility is to download and install additional plugins from a remote server on the compromised devices.
“The danger with the discovered backdoors and the modules they download is that they work in such a way that they actually become part of the targeted apps,” the researchers said.
“As a result, they gain access to the attacked apps’ files and can read chats, send spam, eavesdrop and listen to phone conversations and perform other malicious actions, depending on the functionality of the downloaded modules.”
On the other hand, should the app using the libraries turn out to be wpa_supplicant – a system daemon used to manage network connections – libmtd.so is configured to start a local server that allows connections from a remote or local client via “mysh” ” console.
Doctor Web theorized that system partition implants could have been distributed via a Trojan that is part of the FakeUpdates (aka SocGholish) malware family based on the discovery of a backdoor built into the system application responsible for over-the-air (OTA) firmware updates.
The rogue app, on the other hand, is designed to exfiltrate detailed metadata about the infected device, as well as download and install other software without the users’ knowledge via Lua scripts.
To avoid the risk of becoming a victim of such malware attacks, it is recommended that users purchase mobile devices only from official stores and legitimate distributors.
